Query ⫘
Field ⫘
node Type: Node ⫘
Arguments ⫘
id Type: ID! ⫘
Field ⫘
threatPublication Type: ThreatPublication! ⫘
Retrieves a publication by ID.
Arguments ⫘
ID Type: String! ⫘
Field ⫘
threatPublications Type: [ThreatPublication] ⫘
Searches publications for text.
Arguments ⫘
text Type: String! ⫘
Field ⫘
threatLatestPublications Type: [ThreatPublication] ⫘
Gets the latest publications from an offset with a size.
Arguments ⫘
from Type: Int! ⫘
size Type: Int! ⫘
Field ⫘
threatObjectById Type: ThreatResult ⫘
Gets an object by id, name or sharing_id.
Arguments ⫘
id Type: String! ⫘
objectType Type: ThreatObjectType! ⫘
Field ⫘
threatIdentitiesByConfidence Type: [ThreatResult] ⫘
Gets identities by confidence score.
Arguments ⫘
confidence Type: Int! ⫘
Field ⫘
threatObjectsRelated Type: Boolean! ⫘
Checks if a relationship between source and target exists.
Arguments ⫘
sourceID Type: String! ⫘
targetID Type: String! ⫘
Field ⫘
threatGetRelated Type: [ThreatResult] ⫘
Gets relationship(s) between source and target(s).
Arguments ⫘
sourceID Type: String! ⫘
Field ⫘
threatWatchlist Type: [ThreatRelationship] ⫘
Gets a watchlist by type. All results are considered high confidence.
Arguments ⫘
type Type: ThreatParentType! ⫘
Field ⫘
threatIndicatorPublications Type: [ThreatReport] ⫘
Gets publications related to indicators.
Arguments ⫘
ID Type: String! ⫘
Field ⫘
threatIndicatorIntelligence Type: ThreatIndicatorIntelligence ⫘
Retrieves all intelligence associated with an indicator.
Arguments ⫘
ID Type: String! ⫘
Field ⫘
threatRelationship Type: ThreatRelationship ⫘
Gets relationship by id.
Arguments ⫘
ID Type: String! ⫘
Field ⫘
threatIdentity Type: ThreatIdentity ⫘
Gets identity by id.
Arguments ⫘
ID Type: String! ⫘
Field ⫘
threatMalware Type: ThreatMalware ⫘
Gets malware by id.
Arguments ⫘
ID Type: String! ⫘
Field ⫘
threatIdentities Type: [ThreatIdentity] ⫘
Gets identities by confidence score.
Arguments ⫘
confidence Type: Int ⫘
Field ⫘
threatVidIntelligence Type: ThreatVidIntelligence ⫘
Retrieves all intelligence associated with a VID.
Arguments ⫘
vid Type: String! ⫘
Field ⫘
threatIndicatorsIntelligence Type: [ThreatIndicatorIntelligence] ⫘
Retrieves all intelligence associated with a list of indicators.
Arguments ⫘
ID Type: [String!] ⫘
Field ⫘
lists Type: Lists! ⫘
Retrieves Custom Lists for the respective tenant
Arguments ⫘
arguments Type: ListsArguments! ⫘
Field ⫘
list Type: List ⫘
Retrieves a custom list by ID
Arguments ⫘
id Type: String! ⫘
arguments Type: ListsArguments! ⫘
Field ⫘
listItemsByTag Type: ListItems ⫘
Retrieves list items that contain the specified tag (case sensitive)
Arguments ⫘
tag Type: String! ⫘
arguments Type: ListsArguments! ⫘
Field ⫘
listItemsByName Type: ListItems ⫘
Retrieves list items by indicator name
Arguments ⫘
name Type: String! ⫘
arguments Type: ListsArguments! ⫘
Mutation ⫘
Field ⫘
indicator Type: ThreatIndicator ⫘
Arguments ⫘
id Type: String! ⫘
Field ⫘
createList Type: List! ⫘
Arguments ⫘
input Type: CreateListInput! ⫘
Field ⫘
deleteList Type: Boolean! ⫘
Arguments ⫘
input Type: DeleteListInput! ⫘
Field ⫘
restoreList Type: Boolean! ⫘
Arguments ⫘
input Type: DeleteListInput! ⫘
Objects ⫘
List ⫘
Field ⫘
id Type: ID! ⫘
Field ⫘
name Type: String! ⫘
Field ⫘
description Type: String ⫘
Field ⫘
download_url Type: String ⫘
Field ⫘
owner Type: ListOwner! ⫘
Field ⫘
item_count Type: Int ⫘
Field ⫘
global Type: Boolean! ⫘
Field ⫘
internal Type: Boolean! ⫘
Field ⫘
confidence Type: Int ⫘
Field ⫘
severity Type: Int ⫘
Field ⫘
tags Type: [String] ⫘
Field ⫘
items Type: [ListItem!] ⫘
Field ⫘
list_action Type: ListAction! ⫘
Field ⫘
created_at Type: Time! ⫘
Field ⫘
modified_at Type: Time! ⫘
Field ⫘
age_at Type: Time ⫘
Field ⫘
deleted_at Type: Time ⫘
ListInfo ⫘
Field ⫘
list_id Type: String! ⫘
Field ⫘
list_item_count Type: Int! ⫘
Field ⫘
list_name Type: String! ⫘
Field ⫘
list_action Type: ListAction! ⫘
ListItem ⫘
Field ⫘
id Type: ID! ⫘
Field ⫘
reference_id Type: String ⫘
Field ⫘
name Type: String! ⫘
Field ⫘
description Type: String ⫘
Field ⫘
item_type Type: ItemType! ⫘
Field ⫘
confidence Type: Int ⫘
Field ⫘
severity Type: Int ⫘
Field ⫘
tags Type: [String] ⫘
Field ⫘
created_at Type: Time! ⫘
Field ⫘
modified_at Type: Time! ⫘
Field ⫘
age_at Type: Time ⫘
Field ⫘
deleted_at Type: Time ⫘
ListItemToList ⫘
Field ⫘
listID Type: String! ⫘
Field ⫘
listName Type: String! ⫘
Field ⫘
listItem Type: ListItem ⫘
ListItems ⫘
Field ⫘
listItemMap Type: [ListItemToList] ⫘
ListOwner ⫘
Field ⫘
id Type: ID! ⫘
Field ⫘
tenant_id Type: String! ⫘
Field ⫘
created_at Type: Time! ⫘
Field ⫘
modified_at Type: Time! ⫘
Field ⫘
age_at Type: Time ⫘
Field ⫘
deleted_at Type: Time ⫘
Lists ⫘
Field ⫘
list_info Type: [ListInfo!] ⫘
ThreatAdvisory ⫘
Represents a CTU threat advisory report.
Field ⫘
id Type: ID! ⫘
Field ⫘
Name Type: String ⫘
Field ⫘
Content Type: String ⫘
Field ⫘
CreatedAt Type: Time ⫘
Field ⫘
PublicationDate Type: Time ⫘
Field ⫘
TLP Type: String ⫘
Field ⫘
Reference Type: String ⫘
Field ⫘
ReportID Type: String ⫘
ThreatAnalysis ⫘
Represents a threat analysis report.
Field ⫘
id Type: String! ⫘
Field ⫘
Name Type: String ⫘
Field ⫘
Content Type: String ⫘
Field ⫘
CreatedAt Type: Time ⫘
Field ⫘
PublicationDate Type: Time ⫘
Field ⫘
TLP Type: String ⫘
Field ⫘
Reference Type: String ⫘
Field ⫘
ReportID Type: String ⫘
ThreatDNSInfo ⫘
Contains relevant DNS information when it is available.
Field ⫘
Domain Type: String ⫘
Field ⫘
Hostname Type: String ⫘
Field ⫘
Subdomain Type: String ⫘
Field ⫘
Tld Type: String ⫘
ThreatGroup ⫘
Represents a threat group.
Field ⫘
type Type: ThreatObjectType! ⫘
Field ⫘
spec_version Type: String! ⫘
Field ⫘
id Type: String! ⫘
Field ⫘
sharing_id Type: String! ⫘
Field ⫘
name Type: String! ⫘
Field ⫘
Objectives Type: [String] ⫘
Field ⫘
Aliases Type: [String] ⫘
Field ⫘
Tools Type: [String] ⫘
Field ⫘
Motivation Type: [String] ⫘
Field ⫘
IntendedEffect Type: [String] ⫘
Field ⫘
TargetSectors Type: [String] ⫘
Field ⫘
Description Type: String ⫘
Field ⫘
ActiveSince Type: Time ⫘
Field ⫘
LastKnownActivity Type: Time ⫘
Field ⫘
tags Type: [String] ⫘
ThreatGroupRelationship ⫘
Field ⫘
group Type: ThreatGroup ⫘
Field ⫘
relationship Type: ThreatRelationship ⫘
ThreatHashes ⫘
Represents a set of hashes for threat objects.
Field ⫘
MD5 Type: String! ⫘
Field ⫘
SHA256 Type: String! ⫘
ThreatIdentity ⫘
Commonly represents a source of threat data.
Field ⫘
type Type: ThreatObjectType! ⫘
Field ⫘
spec_version Type: String! ⫘
Field ⫘
id Type: String! ⫘
Field ⫘
sharing_id Type: String! ⫘
Field ⫘
name Type: String! ⫘
Field ⫘
description Type: String ⫘
Field ⫘
created Type: Time ⫘
Field ⫘
modified Type: Time ⫘
Field ⫘
roles Type: [String] ⫘
Field ⫘
identity_class Type: ThreatIdentityClass ⫘
Field ⫘
sectors Type: [ThreatIndustrySectors] ⫘
Field ⫘
contact_information Type: String ⫘
Field ⫘
natural_key Type: String ⫘
Field ⫘
download_URL Type: String! ⫘
Field ⫘
internal Type: Boolean! ⫘
Field ⫘
confidence Type: Int ⫘
Field ⫘
reason Type: [String] ⫘
Field ⫘
label Type: String ⫘
Field ⫘
tags Type: [String] ⫘
ThreatIdentityRelationship ⫘
Field ⫘
identity Type: ThreatIdentity ⫘
Field ⫘
relationship Type: ThreatRelationship ⫘
ThreatIndicator ⫘
Represents an indicator of compromise.
Field ⫘
type Type: ThreatObjectType! ⫘
Field ⫘
spec_version Type: String! ⫘
Field ⫘
id Type: String! ⫘
Field ⫘
sharing_id Type: String! ⫘
Field ⫘
name Type: String! ⫘
Field ⫘
description Type: String ⫘
Field ⫘
created Type: Time ⫘
Field ⫘
modified Type: Time ⫘
Field ⫘
indicator_types Type: [ThreatIndicatorType] ⫘
Field ⫘
pattern Type: String ⫘
Field ⫘
pattern_type Type: ThreatPatternType ⫘
Field ⫘
pattern_version Type: String ⫘
Field ⫘
mitre_attack_categories Type: [String] ⫘
Field ⫘
valid_from Type: Time ⫘
Field ⫘
valid_until Type: Time ⫘
Field ⫘
kill_chain_phases Type: [ThreatKillChainPhase] ⫘
Field ⫘
score Type: Int ⫘
Field ⫘
original_indicator Type: String ⫘
Field ⫘
indicator_class Type: ThreatIndicatorClass ⫘
Field ⫘
ipv4 Type: String ⫘
Field ⫘
label Type: String ⫘
Field ⫘
dns Type: ThreatDNSInfo ⫘
Field ⫘
whois Type: ThreatWhois ⫘
Field ⫘
url_info Type: ThreatURLInfo ⫘
Field ⫘
tags Type: [String] ⫘
Field ⫘
location Type: ThreatLocation ⫘
ThreatIndicatorIntelligence ⫘
Field ⫘
indicator Type: ThreatIndicator! ⫘
Field ⫘
identities Type: [ThreatIdentityRelationship] ⫘
Field ⫘
reports Type: [ThreatReportRelationship] ⫘
Field ⫘
malware Type: [ThreatMalwareRelationship] ⫘
Field ⫘
groups Type: [ThreatGroupRelationship] ⫘
ThreatKillChainPhase ⫘
ThreatKillChainPhase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.
Field ⫘
kill_chain_name Type: String ⫘
Field ⫘
phase_name Type: String ⫘
ThreatLocation ⫘
ThreatLocation provides geolocation longitude and latitude coordinates as an indicator. Provided when available.
Field ⫘
Longitude Type: Float ⫘
Field ⫘
Latitude Type: Float ⫘
ThreatMalware ⫘
Provides available information about malware.
Field ⫘
type Type: ThreatObjectType! ⫘
Field ⫘
spec_version Type: String! ⫘
Field ⫘
id Type: String! ⫘
Field ⫘
sharing_id Type: String! ⫘
Field ⫘
name Type: String! ⫘
Field ⫘
description Type: String ⫘
Field ⫘
created Type: Time ⫘
Field ⫘
modified Type: Time ⫘
Field ⫘
malware_types Type: [ThreatMalwareType] ⫘
Field ⫘
family Type: String ⫘
Field ⫘
aliases Type: [String] ⫘
Field ⫘
kill_chain_phases Type: [ThreatKillChainPhase] ⫘
Field ⫘
first_seen Type: Time ⫘
Field ⫘
last_seen Type: Time ⫘
Field ⫘
operating_system_refs Type: [String] ⫘
Field ⫘
architecture_execution_envs Type: [ThreatArchitectureExecutionEnvs] ⫘
Field ⫘
implementation_languages Type: [ThreatImplementationLanguages] ⫘
Field ⫘
capabilities Type: [ThreatCapabilities] ⫘
Field ⫘
sample_refs Type: [String] ⫘
Field ⫘
label Type: String ⫘
Field ⫘
tags Type: [String] ⫘
Field ⫘
public_summary Type: String ⫘
Field ⫘
solution Type: String ⫘
Field ⫘
technical_details Type: String ⫘
ThreatMalwareRelationship ⫘
Field ⫘
malware Type: ThreatMalware ⫘
Field ⫘
relationship Type: ThreatRelationship ⫘
ThreatPublication ⫘
Represents a publication about a threat.
Field ⫘
id Type: ID! ⫘
Field ⫘
Type Type: String ⫘
Field ⫘
Name Type: String ⫘
Field ⫘
Description Type: String ⫘
Field ⫘
Published Type: Time ⫘
Field ⫘
Content Type: String ⫘
Field ⫘
TLP Type: String ⫘
Field ⫘
VID Type: String ⫘
Field ⫘
ReportID Type: String ⫘
Field ⫘
Reference Type: String ⫘
Field ⫘
Category Type: String ⫘
ThreatRelationship ⫘
Represents the relationship between objects in the system.
Field ⫘
type Type: ThreatObjectType! ⫘
Field ⫘
spec_version Type: String! ⫘
Field ⫘
id Type: String! ⫘
Field ⫘
sharing_id Type: String! ⫘
Field ⫘
source_sharing_id Type: String! ⫘
Field ⫘
target_sharing_id Type: String! ⫘
Field ⫘
created Type: Time ⫘
Field ⫘
modified Type: Time ⫘
Field ⫘
description Type: String ⫘
Field ⫘
src_desc Type: String ⫘
Field ⫘
tgt_desc Type: String ⫘
Field ⫘
mitre_attack_categories Type: [String] ⫘
Field ⫘
relationship_type Type: ThreatRelationshipType! ⫘
Field ⫘
source_ref Type: String! ⫘
Field ⫘
target_ref Type: String! ⫘
Field ⫘
confidence Type: Int ⫘
Field ⫘
indicator_class Type: ThreatIndicatorClass ⫘
Field ⫘
label Type: String ⫘
Field ⫘
tags Type: [String] ⫘
Field ⫘
start_time Type: Time ⫘
Field ⫘
stop_time Type: Time ⫘
Field ⫘
source_internal Type: Boolean! ⫘
Field ⫘
reference Type: String ⫘
ThreatReport ⫘
Field ⫘
type Type: ThreatObjectType! ⫘
Field ⫘
spec_version Type: String! ⫘
Field ⫘
id Type: ID! ⫘
Field ⫘
name Type: String ⫘
Field ⫘
description Type: String ⫘
Field ⫘
created Type: Time ⫘
Field ⫘
modified Type: Time ⫘
Field ⫘
published Type: Time ⫘
Field ⫘
object_refs Type: [String] ⫘
Field ⫘
content Type: String ⫘
Field ⫘
sharing_id Type: String! ⫘
Field ⫘
tags Type: [String] ⫘
ThreatReportRelationship ⫘
Field ⫘
report Type: ThreatReport ⫘
Field ⫘
relationship Type: ThreatRelationship ⫘
ThreatSwid ⫘
ThreatSwid represents an internal SWID structure.
Important: For future use. Not currently implemented.
Field ⫘
Id Type: String ⫘
Field ⫘
Author Type: String ⫘
Field ⫘
CreatedAt Type: Time ⫘
Field ⫘
EngineGroupName Type: String ⫘
Field ⫘
FileName Type: String ⫘
Field ⫘
Priority Type: Int ⫘
Field ⫘
PriorityValue Type: String ⫘
Field ⫘
Revision Type: Int ⫘
Field ⫘
Swid Type: Int ⫘
Field ⫘
SwidName Type: String ⫘
Field ⫘
Text Type: String ⫘
ThreatTip ⫘
Represents a CTU TIPS report.
Field ⫘
ID Type: String! ⫘
Field ⫘
Name Type: String! ⫘
Field ⫘
Active Type: Boolean ⫘
Field ⫘
Content Type: String! ⫘
Field ⫘
CreatedAt Type: Time ⫘
Field ⫘
UpdatedAt Type: Time ⫘
Field ⫘
Reference Type: String ⫘
ThreatURLInfo ⫘
Contains the parsed components of a URL when it is available.
Field ⫘
Query Type: String ⫘
Field ⫘
Scheme Type: String ⫘
Field ⫘
Port Type: String ⫘
Field ⫘
Path Type: String ⫘
Field ⫘
RequestURI Type: String ⫘
ThreatVid ⫘
Field ⫘
ID Type: String ⫘
Field ⫘
Name Type: String ⫘
Field ⫘
Swids Type: [ThreatSwid] ⫘
Field ⫘
ThreatAnalyses Type: [ThreatAnalysis] ⫘
Field ⫘
ThreatGroups Type: [ThreatGroup] ⫘
ThreatVidIntelligence ⫘
Field ⫘
reports Type: [ThreatReportRelationship] ⫘
Field ⫘
malware Type: [ThreatMalwareRelationship] ⫘
Field ⫘
groups Type: [ThreatGroupRelationship] ⫘
ThreatWhois ⫘
Provides any available whois information about an indicator.
Field ⫘
DomainName Type: String ⫘
Field ⫘
RegistrarName Type: String ⫘
Field ⫘
ContactEmail Type: String ⫘
Field ⫘
WhoisServer Type: String ⫘
Field ⫘
NameServers Type: String ⫘
Field ⫘
CreatedDate Type: String ⫘
Field ⫘
UpdatedDate Type: String ⫘
Field ⫘
ExpiresDate Type: String ⫘
Field ⫘
StandardRegCreatedDate Type: String ⫘
Field ⫘
StandardRegUpdatedDate Type: String ⫘
Field ⫘
StandardRegExpiresDate Type: String ⫘
Field ⫘
Status Type: String ⫘
Field ⫘
AuditAuditUpdatedDate Type: String ⫘
Field ⫘
RegistrantEmail Type: String ⫘
Field ⫘
RegistrantName Type: String ⫘
Field ⫘
RegistrantOrganization Type: String ⫘
Field ⫘
RegistrantStreet1 Type: String ⫘
Field ⫘
RegistrantCity Type: String ⫘
Field ⫘
RegistrantState Type: String ⫘
Field ⫘
RegistrantPostalCode Type: String ⫘
Field ⫘
RegistrantCountry Type: String ⫘
Field ⫘
RegistrantFax Type: String ⫘
Field ⫘
RegistrantTelephone Type: String ⫘
Field ⫘
AdministrativeContactEmail Type: String ⫘
Field ⫘
AdministrativeContactName Type: String ⫘
Field ⫘
AdministrativeContactOrganization Type: String ⫘
Field ⫘
AdministrativeContactStreet1 Type: String ⫘
Field ⫘
AdministrativeContactCity Type: String ⫘
Field ⫘
AdministrativeContactState Type: String ⫘
Field ⫘
AdministrativeContactPostalCode Type: String ⫘
Field ⫘
AdministrativeContactCountry Type: String ⫘
Field ⫘
AdministrativeContactFax Type: String ⫘
Field ⫘
AdministrativeContactTelephone Type: String ⫘
Inputs ⫘
CreateListInput ⫘
Field ⫘
name Type: String! ⫘
Field ⫘
description Type: String ⫘
Field ⫘
download_url Type: String ⫘
Field ⫘
items Type: [ListItemInput!] ⫘
Field ⫘
list_action Type: ListAction! ⫘
Field ⫘
confidence Type: Int! ⫘
Field ⫘
severity Type: Int! ⫘
Field ⫘
tags Type: [String] ⫘
DeleteListInput ⫘
Field ⫘
id Type: ID! ⫘
ListItemInput ⫘
Field ⫘
reference_id Type: String ⫘
Field ⫘
name Type: String! ⫘
Field ⫘
description Type: String ⫘
Field ⫘
item_type Type: ItemType! ⫘
Field ⫘
confidence Type: Int! ⫘
Field ⫘
severity Type: Int! ⫘
Field ⫘
tags Type: [String] ⫘
ListsArguments ⫘
Field ⫘
global Type: Boolean ⫘
Field ⫘
page Type: Int ⫘
Field ⫘
perPage Type: Int ⫘
Field ⫘
orderBy Type: OrderByOptions ⫘
ThreatGroupInput ⫘
Field ⫘
name Type: String! ⫘
Field ⫘
Objectives Type: [String] ⫘
Field ⫘
Aliases Type: [String] ⫘
Field ⫘
Tools Type: [String] ⫘
Field ⫘
Motivation Type: [String] ⫘
Field ⫘
IntendedEffect Type: [String] ⫘
Field ⫘
TargetSectors Type: [String] ⫘
Field ⫘
Description Type: String ⫘
Field ⫘
ActiveSince Type: Time ⫘
Field ⫘
LastKnownActivity Type: Time ⫘
Field ⫘
tags Type: [String] ⫘
ThreatHashesInput ⫘
Field ⫘
MD5 Type: String! ⫘
Field ⫘
SHA256 Type: String! ⫘
ThreatIdentityInput ⫘
Field ⫘
name Type: String! ⫘
Field ⫘
description Type: String ⫘
Field ⫘
roles Type: [String] ⫘
Field ⫘
identity_class Type: ThreatIdentityClass ⫘
Field ⫘
sectors Type: [ThreatIndustrySectors] ⫘
Field ⫘
contact_information Type: String ⫘
Field ⫘
natural_key Type: String ⫘
Field ⫘
download_URL Type: String! ⫘
Field ⫘
internal Type: Boolean ⫘
Field ⫘
confidence Type: Int! ⫘
Field ⫘
reason Type: [String] ⫘
ThreatIndicatorInput ⫘
Field ⫘
name Type: String ⫘
Field ⫘
description Type: String ⫘
Field ⫘
indicator_types Type: [ThreatIndicatorType] ⫘
Field ⫘
pattern Type: String ⫘
Field ⫘
pattern_type Type: ThreatPatternType ⫘
Field ⫘
pattern_version Type: String ⫘
Field ⫘
valid_from Type: Time ⫘
Field ⫘
valid_until Type: Time ⫘
Field ⫘
kill_chain_phases Type: [ThreatKillChainPhaseInput] ⫘
Field ⫘
score Type: Int ⫘
ThreatKillChainPhaseInput ⫘
Field ⫘
kill_chain_name Type: String ⫘
Field ⫘
phase_name Type: String ⫘
ThreatRelationshipInput ⫘
Field ⫘
type Type: ThreatObjectType! ⫘
Field ⫘
source_sharing_id Type: String! ⫘
Field ⫘
target_sharing_id Type: String! ⫘
Field ⫘
description Type: String ⫘
Field ⫘
src_desc Type: String ⫘
Field ⫘
tgt_desc Type: String ⫘
Field ⫘
mitre_attack_categories Type: [String] ⫘
Field ⫘
relationship_type Type: ThreatRelationshipType! ⫘
Field ⫘
source_ref Type: String! ⫘
Field ⫘
target_ref Type: String! ⫘
Field ⫘
confidence Type: Int ⫘
Field ⫘
indicator_class Type: ThreatIndicatorClass ⫘
Field ⫘
tags Type: [String] ⫘
Field ⫘
source_internal Type: Boolean! ⫘
Field ⫘
reference Type: String ⫘
Field ⫘
start_time Type: Time ⫘
Field ⫘
stop_time Type: Time ⫘
ThreatReportInput ⫘
Field ⫘
id Type: ID! ⫘
Field ⫘
name Type: String ⫘
Field ⫘
description Type: String ⫘
Field ⫘
created Type: Time ⫘
Field ⫘
modified Type: Time ⫘
Field ⫘
published Type: Time ⫘
Field ⫘
object_refs Type: [String] ⫘
Field ⫘
content Type: String ⫘
Field ⫘
tags Type: [String] ⫘
ThreatSwidInput ⫘
Field ⫘
Id Type: String ⫘
Field ⫘
Author Type: String ⫘
Field ⫘
CreatedAt Type: Time ⫘
Field ⫘
EngineGroupName Type: String ⫘
Field ⫘
FileName Type: String ⫘
Field ⫘
Priority Type: Int ⫘
Field ⫘
PriorityValue Type: String ⫘
Field ⫘
Revision Type: Int ⫘
Field ⫘
Swid Type: Int ⫘
Field ⫘
SwidName Type: String ⫘
Field ⫘
Text Type: String ⫘
Enums ⫘
ItemType ⫘
user
certificate
asset
domain
ipv4
ipv6
cidr
url
md5
sha256
sha1
unknown
ListAction ⫘
allow
block
warn
OrderByOptions ⫘
asc
desc
ThreatArchitectureExecutionEnvs ⫘
ThreatArchitectureExecutionEnvs
Important: For future use. Not currently implemented.
alpha
arm
ia_64
mips
powerpc
sparc
x86
x86_64
ThreatCapabilities ⫘
Defines the capabilities of a threat.
Important: For future use. Not currently implemented.
accesses_remote_machines
anti_debugging
anti_disassembly
anti_emulation
anti_memory_forensics
anti_sandbox
anti_vm
captures_input_peripherals
captures_output_peripherals
captures_system_state_data
cleans_traces_of_infection
commits_fraud
communicates_with_c2
compromises_data_availability
compromises_data_integrity
compromises_system_availability
controls_local_machine
degrades_security_software
degrades_system_updates
determines_c2_server
emails_spam
escalates_privileges
evades_av
exfiltrates_data
fingerprints_host
hides_artifacts
hides_executing_code
infects_files
infects_remote_machines
installs_other_components
persists_after_system_reboot
prevents_artifact_access
prevents_artifact_deletion
probes_network_environment
self_modifies
steals_authentication_credentials
violates_system_operational_integrity
ThreatIdentityClass ⫘
ThreatIdentityClass describes the type of entity that the Identity represents: whether it describes an organization, group, individual, or class.
individual
group
system
organization
class
unspecified
ThreatImplementationLanguages ⫘
ThreatImplementationLanguages
Important: For future use. Not currently implemented.
applescript
bash
c
c_plus_plus
c_sharp
go
java
javascript
lua
objective_c
perl
php
powershell
python
ruby
scala
swift
typescript
visual_basic
x86_32
x86_64
ThreatIndicatorClass ⫘
Describes the specific class of the indicator.
ipv4
ipv6
cidr
url
domain
md5
sha256
sha1
unknown
ThreatIndicatorType ⫘
ThreatIndicatorType is an open vocabulary used to categorize Indicators. It is intended to be high-level to promote consistent practices.
Indicator types should not be used to capture information that can be better captured from related Malware or Attack Pattern objects.
Note: It is better to link an Indicator to a Malware object.
anomalous_activity
anonymization
benign
compromised
malicious_activity
attribution
unknown
ThreatIndustrySectors ⫘
Describes industrial and commercial sectors.
agriculture
aerospace
automotive
chemical
commercial
communications
construction
defense
education
energy
entertainment
financial_services
emergency_services
government_local
government_national
government_public_services
government_regional
healthcare
hospitality_leisure
infrastructure_dams
infrastructure_nuclear
infrastructure_water
insurance
manufacturing
mining
non_profit
pharmaceuticals
retail
technology
telecommunications
transportation
utilities
ThreatMalwareType ⫘
Defines the types of malware.
adware
backdoor
bot
bootkit
ddos
downloader
dropper
exploit_kit
irc_botnet
keylogger
ransomware
remote_access_trojan
resource_exploitation
rogue_security_software
rootkit
screen_capture
spyware
trojan
unknown
virus
webshell
wiper
worm
ThreatObjectType ⫘
Defines the type of object.
indicator
identity
relationship
malware
intrusionset
report
ThreatParentType ⫘
Describes the indicator type as a generic.
IP
DOMAIN
URL
URI
FILE
CUSTOM
ThreatPatternType ⫘
ThreatPatternType is a non-exhaustive, open vocabulary that covers common pattern languages and is intended to characterize the pattern language that the indicator pattern is expressed in.
stix
pcre
sigma
snort
suricata
yara
ThreatRelationshipType ⫘
Declares the relationship types that are possible.
targets
uses
attributed_to
compromises
originates_from
investigates
mitigates
remediates
located_at
impersonates
based_on
communicates_with
consists_of
controls
delivers
has
hosts
beacons_to
exfiltrates_to
owns
indicates
authored_by
downloads
drops
exploits
variant_of
characterizes
analysis_of
static_analysis_of
dynamic_analysis_of
lists
listed_on
related_to
indirect
Scalars ⫘
Boolean ⫘
The Boolean scalar type represents true or false.
Float ⫘
The Float scalar type represents signed double-precision fractional values as specified by IEEE 754.
ID ⫘
The ID scalar type represents a unique identifier, often used to refetch an object or as key for a cache. The ID type appears in a JSON response as a String; however, it is not intended to be human-readable. When expected as an input type, any string (such as "4") or integer (such as 4) input value will be accepted as an ID.
Int ⫘
The Int scalar type represents non-fractional signed whole numeric values. Int can represent values between -(2^31) and 2^31 - 1.
String ⫘
The String scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.
Time ⫘
Interfaces ⫘
Node ⫘
Field ⫘
id Type: ID! ⫘
Timestamps ⫘
Field ⫘
created_at Type: Time! ⫘
Field ⫘
modified_at Type: Time! ⫘
Field ⫘
age_at Type: Time ⫘
Field ⫘
deleted_at Type: Time ⫘